Obtaining Certificates; Configuration Prerequisites; Configuration Guidelines; Configuration Procedure - HP 5920 Series Configuration Manual

Step
1. Enter system view.
2. Abort a certificate request.

Obtaining certificates

You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from
a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the
online mode:
In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and then
•
import them locally. This mode is suitable for the scenario where the CRL repository is not specified,
the CA server does not support SCEP, or the CA server generates the key pair for the certificates.
In online mode, you can obtain the CA certificate through SCEP and obtain local certificates or
•
peer certificates through LDAP.

Configuration prerequisites

Before you obtain local or peer certificates in online mode, specify the LDAP server for the PKI domain.
Before you obtain local or peer certificates in offline mode, complete the following tasks:
Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
•
available, display and copy the certificate contents to a file. Make sure the certificate is in PEM
format because certificates only in PEM format can be imported by this means.
To import a local or peer certificate, a CA certificate chain must exist in the PKI domain, or be
•
carried in the local or peer certificate. If not, obtain it first.
To import a local certificate containing an encrypted key pair, you must provide the challenge
•
password. Contact the CA server administrator, if necessary.

Configuration guidelines

If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new
•
one, use pki delete-certificate to remove the CA certificate and local certificates, and then obtain
the CA certificate.
If a PKI domain already has local or peer certificates, you can still perform the obtain operation,
•
and the obtained local or peer certificates overwrite the existing ones. If RSA is used, a PKI domain
can have two local certificates, one for signature and the other for encryption.
If CRL checking is enabled, CRL checking is triggered when you obtain a certificate. If the certificate
•
to be obtained has been revoked, the certificate cannot be obtained.
The device compares the validity period of a certificate with the local system time to determine
•
whether the certificate is valid. Make sure the system time of the device is synchronized with the CA
server.

Configuration procedure

To obtain certificates:
Command
system-view
pki abort-certificate-request
domain domain-name
127
Remarks
N/A
This command is not saved in the
configuration file.